Showing posts with label Forefront Endpoint Protection. Show all posts

Wednesday, 20 April 2011

Updating FCS and FEP2010 without WSUS

Both FCS and FEP2010 can get updates directly from Microsoft, but their behaviour is different enough to cause confusion.

For an FCS client to update from Microsoft you need to opt the machine into Microsoft Update. Just turning Windows Update on is not enough. Unfortunately FCS doesn't give you any information that anything is wrong - it just reports that there are no updates available. Once you've opted in to Microsoft Update everything is fine.

A FEP2010 client can update from Microsoft without you needing to opt the machine into Microsoft Update.

You can prove this to yourself by creating the two VBScripts supplied below, optinMU.vbs and optoutMU.vbs. By using the scripts to opt in and out of Microsoft Update you can see for yourself the behaviour of FCS and FEP2010. If your machine is configured for WSUS, you can set it to use Windows Update by deleting the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and restarting the Automatic Updates service. While testing you can install the Forefront Client Security client in standalone mode by running CLIENTSETUP.EXE /NOMOM.

So, to summarise:

FCS - needs opt in to MU
FEP2010 - no requirement for MU

optinMU.vbs

'from http://msdn.microsoft.com/en-us/library/aa826676(v=vs.85).aspx
Set ServiceManager = CreateObject("Microsoft.Update.ServiceManager")
ServiceManager.ClientApplicationID = "My App"

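'add the Microsoft Update service by its GUID
'flags 7 = asfAllowPendingRegistration (1) + asfAllowOnlineRegistration (2) + asfRegisterServiceWithAU (4)
Set NewUpdateService = ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d",7,"")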

optoutMU.vbs

Set ServiceManager = CreateObject("Microsoft.Update.ServiceManager")
ServiceManager.ClientApplicationID = "My App"

'remove the Microsoft Update service registration (same GUID as in optinMU.vbs)
ServiceManager.RemoveService("7971f918-a847-4430-9279-4a52d1efe18d")
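
Because FCS only reports "no updates available" when the opt-in is missing, a status check is useful while testing. The following is an added example, not part of the original post: it reads the same Microsoft.Update.ServiceManager object the scripts use and reports whether the Microsoft Update service is registered. The function name and the FcsUpdateAtRisk field are hypothetical, and the client paths are the ones given in the manual-update post on this page.

```powershell
# Added example (not from the original post). Get-UpdateSourceStatus is a hypothetical name.
$MuServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'   # Microsoft Update GUID used by optinMU.vbs
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
# Client paths as given in the manual-update post on this page
$FcsPath = Join-Path $env:ProgramFiles 'Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe'
$FepPath = Join-Path $env:ProgramFiles 'Microsoft Security Client\Antimalware\MpCmdRun.exe'

function Get-UpdateSourceStatus {
    # Enumerate the update services registered with the Windows Update Agent
    $sm = New-Object -ComObject Microsoft.Update.ServiceManager
    $mu = $sm.Services | Where-Object { $_.ServiceID -eq $MuServiceId }

    # A WUServer value under the policy key means the machine is pointed at WSUS
    $wsus = $null
    if (Test-Path $WuPolicyKey) {
        $wsus = (Get-ItemProperty -Path $WuPolicyKey).WUServer
    }

    $fcs     = Test-Path -LiteralPath $FcsPath
    $optedIn = [bool]($mu -and $mu.IsRegisteredWithAU)
    # FCS without the opt-in and without WSUS is the silent "no updates" case
    $atRisk  = ($fcs -and -not $optedIn -and -not $wsus)

    New-Object PSObject -Property @{
        FcsInstalled         = $fcs
        FepInstalled         = (Test-Path -LiteralPath $FepPath)
        MicrosoftUpdateOptIn = $optedIn
        WsusServer           = $wsus
        FcsUpdateAtRisk      = $atRisk
    }
}

Get-UpdateSourceStatus | Format-List
```

Run it before and after optinMU.vbs and optoutMU.vbs to confirm the opt-in state changed as expected.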

Tuesday, 8 March 2011

Migrating from Sophos to Forefront Endpoint Protection

One of the great things about deploying FEP 2010 is that it eases the pain of migrating away from your existing antimalware solution. According to the documentation it can detect and remove the following products:

  • Symantec Endpoint Protection version 11
  • Symantec Corporate Edition version 10
  • McAfee VirusScan Enterprise version 8.5 and version 8.7
  • Trend Micro OfficeScan version 8.0 and version 10.0
  • Forefront Client Security version 1 including the Operations Manager agent

But what if you use Sophos Endpoint Protection?

Sadly, if you're like me you'll have to work it out yourself. Sophos used to provide a script that could uninstall old versions of the client software, however I seem to recall it wasn't officially supported.

The problem with Sophos is that you have two components to remove: the update agent and the antimalware engine.

Both components are installed by MSI packages which are cached in the AutoUpdate folder. So, to perform the uninstall of Sophos you can create a cmd file in your FEP deployment folder with the following lines:

msiexec /x "%programfiles%\Sophos\AutoUpdate\Cache\savxp\Sophos Anti-Virus.msi" /qn /quiet /norestart

msiexec /x "%programfiles%\Sophos\AutoUpdate\Cache\sau\Sophos AutoUpdate.msi" /qn /quiet /norestart

FEPInstall.exe /s /q

If you're planning an enterprise deployment you'll probably want to add more error checking in your script, but this should help you get started.
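
One way to add that error checking, as an added example that is not part of the original post: the same three steps in PowerShell, checking each exit code and writing a verbose MSI log. It assumes the script sits in the FEP deployment folder next to FEPInstall.exe, and that a missing cached MSI means there is nothing to remove; the log file names are constructed for illustration.

```powershell
# Added example (not from the original post): Sophos removal with exit-code checks, then FEP install.
$cache    = Join-Path $env:ProgramFiles 'Sophos\AutoUpdate\Cache'
$packages = @(
    (Join-Path $cache 'savxp\Sophos Anti-Virus.msi'),   # antimalware engine first
    (Join-Path $cache 'sau\Sophos AutoUpdate.msi')      # then the update agent
)
# Windows Installer codes: 0 success, 1605 product not installed,
# 1641 / 3010 success but a restart was started / is required
$okCodes      = 0, 1605, 1641, 3010
$rebootNeeded = $false

foreach ($msi in $packages) {
    if (-not (Test-Path -LiteralPath $msi)) {
        # Assumption: no cached package means this component is not installed
        Write-Warning "Cached package not found, skipping: $msi"
        continue
    }
    $log  = Join-Path $env:TEMP ((Split-Path $msi -Leaf) + '.uninstall.log')
    $args = "/x `"$msi`" /qn /norestart /l*v `"$log`""
    $p    = Start-Process msiexec.exe -ArgumentList $args -Wait -PassThru
    if ($okCodes -notcontains $p.ExitCode) {
        Write-Error "Uninstall of '$msi' failed with exit code $($p.ExitCode); see $log"
        exit $p.ExitCode          # do not install FEP on top of a half-removed product
    }
    if ($p.ExitCode -eq 3010 -or $p.ExitCode -eq 1641) { $rebootNeeded = $true }
}

# FEPInstall.exe is expected in the same folder as this script
$here = Split-Path -Parent $MyInvocation.MyCommand.Path
$fep  = Start-Process (Join-Path $here 'FEPInstall.exe') -ArgumentList '/s /q' -Wait -PassThru
if ($fep.ExitCode -ne 0) {
    Write-Error "FEPInstall.exe returned exit code $($fep.ExitCode)"
    exit $fep.ExitCode
}
if ($rebootNeeded) { Write-Warning 'Sophos removal requested a restart; schedule one.' }
exit 0
```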

The cache folder can be useful if you still need to deploy Sophos as part of your transition. Create a new package that contains the sau folder from the Cache folder. Create a program with the following command line:

msiexec /i "sophos autoupdate.msi" BOOTSTRAP=NOUPDATE RMSACTION=0 REBOOT=ReallySuppress /qb

This will install the AutoUpdate agent on its own. Once installed, the agent will install the latest version of the antimalware agent from the Central Install Directory.

A final point that applies to both Sophos and Forefront Endpoint Protection: don't put your antimalware software in your image. Install it as a post-deployment step in your task sequence. This gives you the option to migrate between antimalware packages without the need to recreate your images.

Tuesday, 15 February 2011

Manually update Forefront Endpoint Protection and Client Security

Sometimes in FEP 2010 and FCS you need to force a signature update. There are two ways of doing this. Firstly, Microsoft supply a download of the latest signatures at this link:

http://support.microsoft.com/kb/935934

The package you download can update both FCS and FEP 2010.

Secondly, to manually start the signature update from the client software, run

MpCmdRun.exe -SignatureUpdate

In FCS you should therefore run

"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe" -SignatureUpdate

In FEP 2010 you should run

"C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe" -SignatureUpdate

On Windows 7 you should run MpCmdRun.exe with elevated privileges or from an elevated command prompt.

Don't forget that because the path to the executable contains spaces, you'll need to use quotes if you run it in a Run Command Line step in a Task Sequence.